Our support team at Thorn Technologies has been fielding questions about the MOVEit file transfer web application recently, with customers asking whether SFTP Gateway is affected by the recent MOVEit vulnerability.
The short answer is no; SFTP Gateway is unaffected by the MOVEit vulnerability. SFTP Gateway and MOVEit are two completely different products built by two unrelated companies. SFTP Gateway does not operate in the same way MOVEit does.
Details from the Thorn Tech support team about the MOVEit vulnerability
Here are more details from the Thorn Tech support team:
In June 2023, SQL injection vulnerabilities were identified in the MOVEit Transfer web application (CVE-2023-34362 and CVE-2023-35036). SFTP Gateway customers have reached out to us, asking about this issue.
SFTP Gateway is not affected by the MOVEit incident. MOVEit is a different product built by another company and is just one of many products in the file transfer space.
The CVE involves SQL injection sent via HTTP. SFTP Gateway does not have a web (HTTP) transfer feature and only supports the SFTP protocol. So, this CVE does not apply.
The Thorn Tech support team also recommends you do the following to ensure you’re operating SFTP Gateway in the most secure way possible. Our support team has made the recommendations below since before the MOVEit vulnerability.
Security recommendations for SFTP Gateway customers from the Thorn Tech support team
You should check that ports 443 and 2222 are locked down to only system administrator IP addresses:
- Port 443: The web admin portal lets you manage SFTP users and map them to cloud storage locations.
- Port 2222: You can SSH to the OpenSSH service on port 2222 for server administration. Note: port 22 denies access to the SSH protocol.
Restricting access at the EC2 Security Group level will prevent any attempts to access these privileged ports.
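One way to check this recommendation offline, as an added example that is not Thorn Tech's own code: the Python below audits security-group ingress rules, in the shape returned by `aws ec2 describe-security-groups`, for ports 443 and 2222 reachable from any source outside an administrator allowlist. The group IDs, CIDRs and function names are constructed for illustration, and rules that reference other security groups or prefix lists are not evaluated.

```python
import ipaddress

ADMIN_PORTS = (443, 2222)  # privileged ports named in the article
# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 2000, "ToPort": 3000,  # range hides 2222
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]

def covered_ports(perm):
    """Admin ports that a single ingress permission exposes."""
    if perm.get("IpProtocol") == "-1":      # "all traffic" rules carry no port fields
        return list(ADMIN_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [p for p in ADMIN_PORTS if lo <= p <= hi]

def is_allowed(cidr, admin_nets):
    """True only if the rule's source lies entirely inside an admin network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in admin_nets)

def audit(groups, admin_cidrs):
    """Return (group, port, source) for each non-admin CIDR reaching an admin port."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port in covered_ports(perm):
                for src in sources:
                    if not is_allowed(src, admin_nets):
                        findings.append((g["GroupId"], port, src))
    return findings

if __name__ == "__main__":
    for gid, port, src in audit(SAMPLE_GROUPS, ["203.0.113.10/32"]):
        print(f"{gid}: port {port} reachable from {src}")
```

To audit a real account, load the `SecurityGroups` array from the CLI's JSON output in place of `SAMPLE_GROUPS` and pass your administrators' CIDRs.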
If you have any questions for our support team, please get in touch with them via email at support@thorntech.com. You can learn more about SFTP Gateway and the different options on the SFTP Gateway product grid on our website. SFTP Gateway is a simple, secure, affordable way to give SFTP users access to cloud storage locations.
Be on the lookout for our new product, StorageLink, a web-based file transfer service coming later in 2023. Send us an email if you’re interested in being a beta tester.
Finally, stay tuned to our Knowledge Base for the latest security recommendations and helpful tips related to our file transfer products. You can also connect with us through Twitter, YouTube, and LinkedIn for all the latest news.